Add a security harness script

This script toggles a Git pre-push hook that will prevent pushing to remotes other than dev when the harness is enabled.

Add a security harness script
ebdebae4 · Robert Speicher · dd8f56e8 · ebdebae4
Commit ebdebae4 authored 7 years ago by Robert Speicher
--- a/scripts/security-harness
+++ b/scripts/security-harness
+#!/usr/bin/env ruby
+
+require 'digest'
+require 'fileutils'
+
+harness_path = File.expand_path('../.git/security_harness', __dir__)
+hook_path    = File.expand_path("../.git/hooks/pre-push", __dir__)
+
+if File.exist?(hook_path)
+  # Deal with a pre-existing hook
+  source_sum = Digest::SHA256.hexdigest(DATA.read)
+  dest_sum   = Digest::SHA256.file(hook_path).hexdigest
+
+  if source_sum != dest_sum
+    puts "#{hook_path} exists and is different from our hook!"
+    puts "Remove it and re-run this script to continue."
+
+    exit 1
+  end
+else
+  File.open(hook_path, 'w') do |file|
+    IO.copy_stream(DATA, file)
+  end
+end
+
+# Toggle the harness on or off
+if File.exist?(harness_path)
+  FileUtils.rm(harness_path)
+
+  puts "Security harness removed -- you can now push to all remotes."
+else
+  FileUtils.touch(harness_path)
+
+  puts "Security harness installed -- you will only be able to push to dev.gitlab.org!"
+end
+
+__END__
+#!/bin/sh
+
+set -e
+
+url="$2"
+harness=`dirname "$0"`/../security_harness
+
+if [ -e "$harness" ]
+then
+  if [[ "$url" != *"dev.gitlab.org"* ]]
+  then
+    echo "Pushing to remotes other than dev.gitlab.org has been disabled!"
+    echo "Run scripts/security-harness to disable this check."
+    echo
+
+    exit 1
+  fi
+fi